test.sh

#!/bin/bash

set -e
export ARBORIST_DEBUG=1

# first case, prevent it from happening in the first place.
rm -rf node_modules package-lock.json
cat <<PJ > package.json
{
  "bundleDependencies": [
    "pacote",
    "npm-registry-fetch"
  ],
  "dependencies": {
    "npm-registry-fetch": "^9.0.0",
    "pacote": "^11.3.2"
  }
}
PJ

arborist reify --before=2021-04-22T18:51:09Z --quiet &>/dev/null
npm ls npm-registry-fetch

arborist reify --add=npm-registry-fetch@10.1.0 --quiet &>/dev/null
npm ls npm-registry-fetch

# arborist reify --update=npm-registry-fetch --preferDedupe --quiet &>/dev/null
# npm ls npm-registry-fetch

npm ls -a >/dev/null

if [ -d node_modules/pacote/node_modules/npm-registry-fetch ]; then
  echo 'duplicate not prevented!'
  exit 1
else
  echo 'avoided the problem!'
fi

# second case, fix it if it DOES happen using the bugged version of npm
rm -rf node_modules package-lock.json
cat <<PJ > package.json
{
  "bundleDependencies": [
    "pacote",
    "npm-registry-fetch"
  ],
  "dependencies": {
    "npm-registry-fetch": "10.1.0",
    "pacote": "11.3.2"
  }
}
PJ

arborist reify &>/dev/null
arborist reify node_modules/pacote --add=npm-registry-fetch@10 --before=2021-04-22T18:51:09Z --quiet &>/dev/null
arborist actual --save &>/dev/null
npm ls npm-registry-fetch
if ! [ -d node_modules/pacote/node_modules/npm-registry-fetch ]; then
  echo 'did not reproduce the problem :(' >&2
  exit 1
fi

# now we're in the broken state, where pacote nests a nrf 10.0, but
# we've previously installed a nrf 10.1 at the top level.  dedupe should work.

arborist reify --update=npm-registry-fetch --preferDedupe --quiet &>/dev/null
npm ls npm-registry-fetch

npm ls -a >/dev/null
if [ -d node_modules/pacote/node_modules/npm-registry-fetch ]; then
  echo 'duplicate not fixed!' >&2
  exit 1
else
  echo 'fixed the problem!'
fi